Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

INFORMATION SECURITY WEAKNESSES POSE RISK TO OPERATIONS AND THE MISSION OF THE SUBSTANCE ABUSE AND MENTAL HEALTH SERVICES ADMINISTRATION

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General

September 2013
A-18-12-30420

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

Information security controls at the Substance Abuse and Mental Health Services Administration were inadequate because the Information Technology Infrastructure and Operations organization had not implemented and monitored the information security protections.

WHY WE DID THIS REVIEW

Office of Management and Budget Circular A-130, appendix III, requires that agencies implement and maintain a security program to assure that adequate security is provided for all support systems and major applications.
The Federal Information Security Management Act of 2002 (FISMA) provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources and provides for development and maintenance of minimum controls required to protect Federal information and information systems.

The selection and implementation of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.

OBJECTIVE

Our objective was to assess the adequacy of information security controls by evaluating the Substance Abuse and Mental Health Services Administration's (SAMHSA) inventory management, patch management, antivirus management, event management, logical access, encryption, web vulnerability assessment, and Universal Serial Bus (USB) port controls that are owned and managed by Information Technology Infrastructure and Operations (ITIO).

BACKGROUND

Office of Management and Budget Circular A-130, appendix III, requires that agencies implement and maintain a security program to assure that adequate security is provided for all support systems and major applications. FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources and provides for development and maintenance of minimum controls required to protect Federal information and information systems.

The selection and implementation of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.

HOW WE CONDUCTED THIS REVIEW

We reviewed selected information technology (IT) security controls in effect as of June 2012. These controls were inventory management, patch management, antivirus management, event management, logical access, encryption, web vulnerability management, and USB port control management. For our review we used Federal and Departmental policies as our principal criteria. We did not review the overall internal control structure of SAMHSA. We performed our fieldwork at SAMHSA's offices in Rockville, Maryland.

WHAT WE FOUND

We found five categories of vulnerabilities:

   1. Inventory Management – The records given to us by ITIO had different totals of computers it managed for SAMHSA. Inventory was not tracked and managed effectively, and therefore neither ITIO nor SAMHSA was able to account for all SAMHSA IT assets and ensure their security compliance.

   2. Patch Management – SAMHSA did not ensure that ITIO had effectively implemented its patch management program for those devices managed by ITIO. We identified vulnerabilities within the SAMHSA network that, if exploited, could have led to unauthorized disclosure, modification, or non-availability of critical data.

   3. Antivirus Management – ITIO and SAMHSA did not ensure that all of the SAMHSA computers and servers managed by ITIO had updated antivirus signatures.

   4. Logical Access – ITIO and SAMHSA did not implement an effective logical access control process for user accounts and did not conduct sufficient reviews to ensure that only valid users had access to their information system.

   5. USB Port Control Access – ITIO and SAMHSA did not have any technical controls to prevent unauthorized and unencrypted USB devices from connecting to SAMHSA computers.

WHAT WE RECOMMEND

We recommend that SAMHSA meet with the Assistant Secretary for Administration to address the issues identified in this report. In addition, we recommend that SAMHSA ensure that ITIO implements the 17 detailed recommendations in Appendix A to address the specific findings we identified.

AUDITEE COMMENTS

In written comments on our draft report, SAMHSA concurred with all of our recommendations and described the actions it will take to implement them. We have included SAMHSA's comments in their entirety in Appendix D.

TABLE OF CONTENTS

INTRODUCTION
   OBJECTIVE
   BACKGROUND
   HOW WE CONDUCTED THIS REVIEW
FINDINGS
   Inventory Management
   Patch Management
   Antivirus Management
   Logical Access
   USB Port Control Management
RECOMMENDATIONS
APPENDIXES
   A: AUDIT RECOMMENDATIONS
   B: AUDIT SCOPE AND METHODOLOGY
   C: CRITERIA AND FEDERAL REQUIREMENTS
   D: SAMHSA RESPONSE

INTRODUCTION

WHY WE DID THIS REVIEW

Office of Management and Budget Circular A-130, appendix III, requires that agencies implement and maintain a security program to assure that adequate security is provided for all support systems and major applications. The Federal Information Security Management Act (FISMA) provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources and provides for development and maintenance of minimum controls required to protect Federal information and information systems.

The selection and implementation of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation.
Security controls are the management, operational, and technical safeguards or countermeasures employed within the organizational information system to protect the confidentiality, integrity, and availability of the system and its information.

OBJECTIVE

Our objective was to assess the adequacy of information security controls by evaluating the Substance Abuse and Mental Health Services Administration's (SAMHSA) inventory management, patch management, antivirus management, event management, logical access, encryption, web vulnerability assessment, and Universal Serial Bus (USB) port controls that are owned and managed by Information Technology Infrastructure and Operations (ITIO).

BACKGROUND

Information Security

Office of Management and Budget Circular A-130, appendix III, requires that agencies implement and maintain a security program to assure that adequate security is provided for all support systems and major applications. FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources and provides for development and maintenance of minimum controls required to protect Federal information and information systems.

In recent years, legislation and Presidential Decision Directives have focused on safeguards for critical systems, assets, and infrastructures within the public and private sectors. The most recent enactment was FISMA, Public Law 107-347, Title III. The purpose of the law is to provide a comprehensive framework for ensuring the effectiveness of security controls over the information resources that support Federal operations and assets, and to provide a mechanism for improved oversight of Federal agency information security programs.

The selection and implementation of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.

Substance Abuse and Mental Health Services Administration's Mission

SAMHSA's mission is to reduce the impact of substance abuse and mental illness on America's communities. In 2011 alone, approximately 20 million people who needed substance abuse treatment did not receive it, and an estimated 10.6 million adults reported an unmet need for mental health care. As a result, the health and wellness of these individuals is jeopardized, and the unnecessary costs to society ripple across America's communities, schools, businesses, prisons and jails, and health care delivery systems.

SAMHSA's Division of Technology Management, Information Technology (DTM-IT) maintains and manages 24 laptops. The 24 laptops are used by SAMHSA's employees when on official travel. SAMHSA's DTM-IT security management is responsible for patching and providing antivirus updates to the 24 laptops.

Office of the Secretary Managed Information Technology

The information technology (IT) needs of SAMHSA are supported by a contractor. The contract is managed by the Office of the Secretary (OS) ITIO group. Through ITIO, OS has awarded a competitive, multi-year IT service contract to Lockheed Martin. The Service Level Agreement (SLA) includes task order awards for computers and infrastructure support, for business application hosting, and for continuity of operations and disaster recovery planning. The contractor is responsible for managing the network infrastructure (i.e., the network, routers, firewalls, and general use servers) and user desktops for SAMHSA and other small OPDIVs. ITIO has oversight responsibility over the contractor to ensure that all aspects of the contract are successfully completed.

ITIO is responsible for the core switches, routers, and firewalls used to connect to the SAMHSA network. ITIO is also responsible for antivirus and patching updates for the workstations that SAMHSA's employees use.

HOW WE CONDUCTED THIS REVIEW

We reviewed selected SAMHSA IT security controls in effect as of June 2012. These controls were inventory management, patch management, antivirus management, event management, logical access, encryption, Web vulnerability assessment, and USB port control management. For our review we used Federal and Departmental policies as our principal criteria. We did not review the overall internal control structure of SAMHSA because it was not directly related to our objective. We performed our fieldwork at SAMHSA's offices in Rockville, Maryland.

FINDINGS

We conducted interviews with SAMHSA's and ITIO's security and IT personnel, reviewed policies and procedures, and tested the controls in place. We found that some controls over the SAMHSA network and logical access were inadequate. We particularly noted that the ongoing problem with establishing an accurate computer inventory adversely affected the reliability of other processes, such as patch and antivirus management, that depend on knowing which machines exist.

Information security controls at SAMHSA were inadequate because ITIO had not implemented and monitored all the information security protections.
Our report includes five findings, relating to inventory management, patch management, antivirus management, logical access, and USB port control access, for SAMHSA and ITIO senior management consideration.

Although we did not find evidence that these weaknesses had been exploited, exploitation could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for SAMHSA. As a result, we believe the weaknesses are collectively and, in some cases, individually significant and could potentially compromise the integrity of the SAMHSA network.

Inventory Management

Inventory management is a critical process in effectively managing ITIO-owned workstations, laptops, servers, and other IT components. ITIO must properly assess its IT inventory to ensure accuracy and adequate protection of all systems connected to the network. Additionally, the FISMA reporting template for FY 2012 requires HHS, of which SAMHSA is a part, to fully account for and report all IT assets on its network (e.g., routers, servers, workstations, laptops, and BlackBerry devices) to provide visibility at the organization level.

Inventory was not tracked and managed effectively by ITIO, and therefore neither SAMHSA nor ITIO was able to account for all of SAMHSA's IT assets. Our analysis identified the following exceptions:

   • HHS departmental policy on the Property Management Information System (PMIS), which was mandated by the Assistant Secretary for Administration and Management (ASAM) on June 24, 2004, requires that all assets be tracked in an asset inventory database. ITIO did not use PMIS to track Property, Plant and Equipment (PP&E) records for those assets that were owned and managed by ITIO and used by SAMHSA's employees.

   • ITIO had not established an effective method for IT asset inventory management. There were no controls in place to ensure an accurate count of those IT assets used by SAMHSA's personnel that were owned and managed by ITIO. During our review, SAMHSA and ITIO provided a number of inventory listings from their management tools of the total assets managed by ITIO, and the listings did not agree, revealing major discrepancies.

      o SAMHSA's inventory list of servers showed four servers running Windows 2000 on its network, while the Symantec Risk Assessment Suite (RAS) tool managed by ITIO reported seven servers running Windows 2000.

      o The report generated by the Altiris patch management tool did not display operating systems for two workstations. This was inconsistent with RAS, which displayed 33 workstations with "unknown" operating systems among ITIO-managed assets. Additionally, the RAS report displayed 17 unauthorized SAMHSA-managed machines active on the network.

      o RAS displayed two Linux servers running on the SAMHSA network that ITIO Security Operations Center staff could not identify.

Neither ITIO nor SAMHSA could explain why there were differences between the various listings, nor why outdated operating system software remained in service. Without effective control of its hardware inventory, SAMHSA and ITIO were unable to account for all of its IT assets or to ensure their security compliance, such as current patch levels and antivirus deployment status.

Because of these exceptions, SAMHSA and ITIO were unable to effectively implement standardized configuration requirements to protect SAMHSA's network from possible malicious attacks. Without an accurate accounting of its IT asset inventory, SAMHSA and ITIO could not know whether all computers were adequately protected; a machine that no listing knows about is also one that no patch or antivirus report will ever cover. Using operating systems that are no longer supported by the vendor exposed SAMHSA computing resources and data owned and managed by ITIO to unnecessary risk, because known security vulnerabilities were not, and could not be, remediated. All of these issues also contributed to SAMHSA's and ITIO's being unable to appropriately determine SAMHSA's overall security posture and to effectively implement a security monitoring program that is both continuous and automated.

AUDITEE COMMENTS

SAMHSA concurred with all of our recommendations.

Patch Management

Patch management is the process of identifying, reporting, and effectively remediating information system flaws in an operational system. Timely patching helps organizations maintain operational efficiency and effectiveness, close security vulnerabilities, and maintain stability in the production environment. Organizations that cannot establish an information security control program that is both mature and based on a rigorous set of controls and processes are likely to have security vulnerabilities that, if exploited, could lead to unauthorized access to sensitive data. Minimizing this threat requires organizations to have properly configured systems, to use the latest software supported by the vendor, and to have the recommended efficiency and security patches installed.

ITIO did not effectively implement a patch management program for those assets it owns and manages for SAMHSA. ITIO gave us a partial listing of patches that it had implemented. We noted the following exceptions:

   • ITIO was unable to provide patch status reports covering our requested timeframe (December through May 2012).
     Therefore, we were unable to determine whether servers and workstations owned and managed by ITIO for SAMHSA received the applicable security patches.

   • ITIO could not provide evidence that periodic reviews of installed and missing security patches were performed on SAMHSA systems. We could not determine whether ITIO had given patch implementation reports to SAMHSA's Chief Information Security Officer (CISO).

   • Neither SAMHSA nor ITIO was reconciling inventory reports with patching or antivirus compliance reports. We found inconsistencies within the inventory reports provided by ITIO. As a result, we were unable to determine whether all workstations and servers were properly patched. For example, an ITIO inventory listing displayed 748 workstations, but the patch compliance report displayed 707 machines.

   • SAMHSA officials stated that non-governmental machines were allowed to access SAMHSA's network.

In addition, we identified four Windows 2000 Servers and one Windows Server 2003 R2 SP1 server on the ITIO inventory listing. Windows 2000 Server reached its end of life (EOL) on July 13, 2010. Windows Server 2003 R2 SP1 reached its EOL on March 13, 2009. In the patching and antivirus context, end of life indicates that the product has reached the end of its useful lifetime and the vendor will no longer market, sell, or support it or provide patches for it; any vulnerability disclosed after that date stays exploitable until the system is upgraded, isolated, or decommissioned.

SAMHSA relied on ITIO to generate periodic reviews and reports for SAMHSA's IT management. However, ITIO failed to provide that information to us. Additionally, neither SAMHSA nor ITIO reconciled the inventory to validate the accuracy of the assets owned and managed by ITIO for SAMHSA.

For non-governmental machines, SAMHSA stated that it follows the HHS/ITSC Program Security Guide. This guideline requires that foreign hardware (non-governmental machines), whether laptops or desktops, be configured with a minimum security baseline. The baseline includes patching, antivirus, file encryption, and firewall settings. Systems that are not configured to meet these requirements are to be issued a network connection denial notice.

Without proper procedures for patch installation and monitoring, SAMHSA and ITIO exposed their operating systems to attacks. Running unpatched computers and servers left SAMHSA systems susceptible to exploits that could have led to unauthorized disclosure, modification, or non-availability of critical data. Compromised computers can be used as a pivot point from which attackers move on to other resources on the network. Furthermore, as part of an effective information security continuous monitoring strategy, the SAMHSA CISO should have received monthly reports on controls with more volatility (e.g., patch and antivirus distribution) and on controls for which there had been weaknesses or a lack of compliance.

In addition, without an accurate inventory of the components within the organization, SAMHSA and ITIO were unable to ensure that all applicable computers and servers were properly patched.

AUDITEE COMMENTS

SAMHSA concurred with all of our recommendations.

Antivirus Management

Antivirus management is the automated process used to identify, isolate, and eliminate suspected malicious software. Antivirus software should be implemented and maintained at critical information system entry points and on the computers on a network to detect and eradicate malicious code transported by email, removable media, or other methods.
Antivirus controls are important for the detection and removal of\nmalicious software such as computer viruses, worms, and trojans, which can infect a computer\nsystem or network.\n\nOur analysis of the antivirus management reports indicated that not all ITIO owned and managed\ncomputers and servers used for SAMHSA\xe2\x80\x99s operations had updated signatures. An antivirus\nsignature is an algorithm or hash (a number derived from a string of text) that uniquely identifies\na specific virus.\n\nNeither SAMHSA nor ITIO security management gave any indication as to why there was no\ndocumented evidence of antivirus alert remediation. In addition, SAMHSA and ITIO\nmanagement did not include a follow-up process for computers with outdated timestamps or\nprocess for servers within ITIOs antivirus Standard Operating Procedures (SOP). We noted the\nfollowing exceptions from the antivirus data and reports provided:\n\n   \xe2\x80\xa2   We judgmentally selected thirty desktop and laptop user accounts from SAMHSA\xe2\x80\x99s\n       Active Directory (AD) list to review the antivirus engine and signature timestamps. We\n       reviewed SAMHSA\xe2\x80\x99s Symantec Endpoint Protection report dated August 09, 2012. The\n       report indicated that virus signatures for:\n\n           o Two of the thirty ITIO owned and managed systems were last updated with the\n             antivirus signature 47 and 364 days prior, to report date.\n\n           o One ITIO owned and managed server was last updated with the antivirus\n             signature on November 21, 2011.\n\n   \xe2\x80\xa2   We were unable to determine whether all servers were updated with applicable antivirus\n       timestamps due to SAMHSA\xe2\x80\x99s and ITIO\xe2\x80\x99s inability to reconcile the various server\n       inventory lists.\nReport No. 
A-18-12-30420                                                                     6\n\x0c           o Three servers that received the latest Symantec Signature updates for antivirus\n             were not included on one of the ITIO inventory server lists.\n\n           o There were 16 servers not found on the Symantec Signature Timestamp antivirus\n             listing that appeared on the two server listings provided by ITIO. Therefore the\n             status of these servers could not be determined.\n\n   \xe2\x80\xa2   Both SAMHSA and ITIO were alerted 120 times from ITIO\xe2\x80\x99s Nitro Security Information\n       and Event Management (SIEM) tool, between 04/14/2012 to 08/27/2012. However,\n       neither SAMHSA nor ITIO was able to provide documentation to support follow-up or\n       remediation of the alerts.\n\n   \xe2\x80\xa2   ITIO antivirus SOP did not contain follow-up processes for machines not in compliance\n       with latest antivirus time stamp and did not cover follow-up procedures for servers.\n\n   \xe2\x80\xa2   The ITIO\xe2\x80\x99s computer naming convention did not identify SAMHSA or any of the other\n       OPDivs, nor reference either the state or district (e.g. MD or Washington, DC) associated\n       with the IP address. HHS policy requires that the inventory database should at a\n       minimum distinguish the name, location, asset identification (ID), owner, and description\n       of the use.\n\nNeither SAMHSA nor ITIO security management could provide a reason why the timestamps\nfor the two tested computers were not current. ITIO management did not create specific naming\nconventions for its laptops/desktops and/or servers to differentiate computer inventory between\nthe OPDIVs.\n\nWithout adequately documented procedures, SAMHSA computing resources that are owned and\nmanaged by ITIO may not be effectively protected.\n\nViruses can cause serious damage to systems. 
Failure to keep antivirus software signatures up to date can result in the widespread distribution
of viruses within SAMHSA’s network. The concerns relating to antivirus are that:

   •   Without proper installation of antivirus software, users may mistakenly believe that their
       systems are virus-free and may inadvertently spread a virus.

   •   Without proper naming conventions, ITIO cannot achieve effective accountability for
       updating antivirus.

   •   Without indicating actions taken, no determination can be made that security
       management has reviewed and/or remediated the virus alert.

AUDITEE COMMENTS

SAMHSA concurred with all of our recommendations.

Logical Access

Logical access controls provide reasonable assurance that management protects computer
resources against unauthorized modification, disclosure, loss, or impairment. Inadequate access
controls over computerized data increase the risk of destruction or inappropriate disclosure of
data. Logical access controls include the process over authorization requests, creation of
accounts, certification/approval of access, and termination processes.

We reviewed user account privileges in AD, performed an assessment of key AD dates, and
reviewed Virtual Private Network (VPN) data.
Our analysis identified the following exceptions to the 644 SAMHSA user accounts:

   •   ITIO had 15 SAMHSA user accounts with a last password change date greater than 60
       days.

   •   ITIO had seven SAMHSA user accounts with a last log on date greater than 60 days.

   •   ITIO had one SAMHSA account with a password status of “Not Required”.

   •   ITIO had three SAMHSA remote user accounts with a last password change date greater
       than 60 days.

   •   ITIO had one SAMHSA remote user account with a last log on date greater than 60 days.

   •   ITIO had four separated SAMHSA employees that were still on the AD listing and had
       not been disabled. One terminated employee was also on the remote user list.

   •   ITIO had several SAMHSA generic and generic administrative user accounts still in its
       Active Directory.

SAMHSA’s and ITIO’s security management stated that they did not review the user access
privileges for SAMHSA’s AD and remote access accounts.

Inadequate controls over access accounts diminish the safety and reliability of data and
increase the risk of an unauthorized user gaining access, or an authorized user elevating his or
her privileges without management knowledge. Without a logical control process that meets
requirements, management is not assured that individual users are properly identified, access is
restricted to properly authorized users, and user activity is restricted to authorized functions.

AUDITEE COMMENTS

SAMHSA concurred with all of our recommendations.
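The periodic review that SAMHSA and ITIO stated they did not perform can be automated against an AD export, producing each category of exception listed under Logical Access. The Python below is an added example, not code from the report or from ITIO. It assumes an export with sAMAccountName, pwdLastSet, lastLogon and userAccountControl columns (dates already converted to ISO form), a separated-employee list from HR and a VPN user list, all constructed here with invented names; the generic-account prefixes are an assumed heuristic. The 60-day limits are the HHS requirements quoted in Appendix C, and the userAccountControl bit values are Microsoft's documented flags.

```python
"""Review an Active Directory export for logical access exceptions.

Added example, not from the OIG report or from ITIO/SAMHSA. Sample data is
constructed; column layout, file sources and the generic-name heuristic
are assumptions.
"""
import csv
import io
from datetime import date

# userAccountControl bit flags as defined by Microsoft.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

AS_OF = date(2012, 6, 30)      # constructed review date
MAX_PASSWORD_AGE_DAYS = 60     # HHS S-PSWD.3: change at least every 60 days
MAX_INACTIVE_DAYS = 60         # HHS assignment for AC-2: disable after 60 days

# Constructed AD export (names invented). 512 = normal account,
# 514 = normal + disabled, 544 = normal + password not required.
AD_EXPORT_CSV = """sAMAccountName,pwdLastSet,lastLogon,userAccountControl
jdoe,2012-06-15,2012-06-29,512
asmith,2012-03-01,2012-06-28,512
bjones,2012-06-01,2012-03-15,512
svc-backup,2012-05-20,2012-06-30,544
cwhite,2012-06-10,2012-06-20,512
dgreen,2012-01-05,2012-02-01,514
admin2,2012-06-01,2012-06-29,512
"""

SEPARATED_EMPLOYEES = {"cwhite", "dgreen"}   # constructed HR separation list
VPN_USERS = {"jdoe", "cwhite"}               # constructed remote-access list

# Assumed heuristic for "generic" accounts: shared/service-style prefixes
# rather than a person's name. Replace with the organisation's naming standard.
GENERIC_PREFIXES = ("svc-", "admin", "test", "temp", "generic")


def parse_ad_export(text):
    """Parse the CSV export into dicts with real dates and an integer UAC value."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "name": row["sAMAccountName"].strip(),
            "pwd_last_set": date.fromisoformat(row["pwdLastSet"].strip()),
            "last_logon": date.fromisoformat(row["lastLogon"].strip()),
            "uac": int(row["userAccountControl"]),
        })
    return accounts


def review_accounts(accounts, separated, vpn_users, as_of=AS_OF):
    """Return each category of exception as a sorted list of account names."""
    findings = {
        "password_older_than_limit": [],
        "inactive_beyond_limit": [],
        "password_not_required": [],
        "separated_but_enabled": [],
        "separated_with_vpn_access": [],
        "generic_accounts": [],
    }
    for acct in accounts:
        name, uac = acct["name"], acct["uac"]
        # A separated employee on the VPN list is a finding whether or not
        # the AD account has been disabled.
        if name in separated and name in vpn_users:
            findings["separated_with_vpn_access"].append(name)
        if uac & ACCOUNTDISABLE:
            continue  # already disabled; only enabled accounts are checked below
        if (as_of - acct["pwd_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings["password_older_than_limit"].append(name)
        if (as_of - acct["last_logon"]).days > MAX_INACTIVE_DAYS:
            findings["inactive_beyond_limit"].append(name)
        if uac & PASSWD_NOTREQD:
            findings["password_not_required"].append(name)
        if name in separated:
            findings["separated_but_enabled"].append(name)
        if name.lower().startswith(GENERIC_PREFIXES):
            findings["generic_accounts"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    result = review_accounts(parse_ad_export(AD_EXPORT_CSV), SEPARATED_EMPLOYEES, VPN_USERS)
    for category, names in result.items():
        print(f"{category}: {names or 'none'}")
```

One caveat for a live run: the lastLogon attribute is not replicated between domain controllers, so an export from a single controller understates activity; use lastLogonTimestamp (replicated, but up to 14 days behind) or query every controller before disabling anything on the inactive list.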
USB Port Control Access

In today’s computing environment, the confidentiality of information stored on USB devices
faces many threats, both unintentional (e.g., human error, device loss) and intentional (e.g.,
theft). Intentional threats are posed by people with many different motivations, including the
desire to cause mischief and disruption and to commit identity theft and other fraud. Someone
with physical access to a device has many options for attempting to view or copy the information
stored on the device. Malware, another common threat, can give attackers unauthorized access
to a device, transfer information from the device to an attacker’s system, and perform other
actions that jeopardize the confidentiality of the device’s information.

To prevent unauthorized access to information, particularly to personally identifiable information
(PII) and other sensitive data, the information needs to be secured. Encryption is the primary
security control for restricting access to sensitive information stored on end-user devices.
Encryption may be applied granularly to individual files or broadly to all stored data. The
appropriate encryption solution depends primarily on the type of storage, the amount of
information that needs to be protected, where the storage will be located, and the threats that
need to be mitigated. Encryption should always be used on portable devices that are used to
store or transport sensitive information.

ITIO security management did not have technical controls on the computers they owned and
managed for SAMHSA to prevent unauthorized and unencrypted USB devices from connecting
to SAMHSA computers. The security software used allowed users to choose between encrypting
and not encrypting the devices. However, we found that if the user elects not to encrypt, the
software still allows the user to download data onto the device.

We judgmentally selected 10 computers and used an application called USBDeview to list all
USB devices that had been connected to the computers. The USBDeview software detected
multiple unencrypted Pantech phones, Android phones, wireless Bluetooth devices and USB mass
storage devices that had been connected to the 10 computers tested. SAMHSA used the
Checkpoint Endpoint Security Tool, which could provide device control on the ten computers
tested. However, based on the results of our testing of devices that had been attached to
SAMHSA’s computers through USB ports, SAMHSA did not use these functions to block
unauthorized devices from attaching to its computers or to prevent data from being written
onto unauthorized USB devices. Without such controls, there is a risk that confidential data
could be written onto an unauthorized/unencrypted USB device and taken out of SAMHSA’s
spaces, possibly resulting in a data breach.

ITIO did not use the full functionality of its Checkpoint Endpoint Security Tool to block
unauthorized devices from attaching to the computers ITIO owned and managed for SAMHSA.

Without sufficient USB controls, there is a risk that malicious software could be transferred from
USB devices to those computers owned and managed by ITIO for SAMHSA and
subsequently into SAMHSA’s network. In addition, critical/sensitive information could be
stored and transferred to unencrypted devices and removed from SAMHSA work spaces.
AUDITEE COMMENTS

SAMHSA concurred with all of our recommendations.


                                  RECOMMENDATIONS

We recommend that SAMHSA meet with the Assistant Secretary for Administration to address
the issues identified in this report. In addition, we recommend that SAMHSA ensures that ITIO
implements the 17 detailed recommendations in Appendix A to address the specific findings we
identified.


                         APPENDIX A: RECOMMENDATIONS

Findings, Risk, and Office of Inspector General Recommendations

Inventory Management (Risk: High)
To address the Inventory Management issues identified in this report, we recommend that
SAMHSA ensures ITIO:
   •   Implements the Departmental Property Management Information System (PMIS) in order
       to provide a continuous monitoring program to SAMHSA that will accurately account for
       all IT assets, and provide comprehensive reporting to the SAMHSA Chief Information
       Officer (CIO).
   •   Updates inventory to include all computers and servers connecting to the SAMHSA
       network that are managed by ITIO, and employs controls that ensure an effective method
       for tracking computer inventory is implemented.
   •   Upgrades or replaces all servers with End-of-Life (EOL) operating systems to operating
       systems supported by the vendor.

Patch Management (Risk: High)
To address the Patch Management issues identified in this report, we recommend that
SAMHSA ensures ITIO:
   •   Ensures that its security team makes patch reports accessible to SAMHSA’s Chief
       Information Security Officer.
   •   Reconciles SAMHSA’s inventory and patch report data, at least monthly, to determine
       whether all assets are appropriately patched.

Antivirus Management (Risk: High)
To address the Antivirus Management issues identified in this report, we recommend that
SAMHSA ensures ITIO:
   •   Updates all computers and servers running out-of-date antivirus signature timestamps.
   •   Establishes effective procedures to monitor and remediate computers with out-of-date
       signature timestamps.
   •   Documents logging alerts that have been remediated.
   •   Adds the following processes to ITIO’s Infrastructure Operations Standard Operating
       Procedure (SOP):
           − Follow-up process for computers not in compliance with the latest antivirus time
             stamps.
           − Process for server antivirus management.
   •   Creates naming conventions that include computer names that define which
       organization each computer has been assigned to.

Logical Access (Risk: High)
To address the Logical Access issues identified in this report, we recommend that SAMHSA
ensures ITIO:
   •   Disables accounts inactive for more than 60 days and subsequently deletes accounts
       determined to be no longer needed after more than 90 days.
   •   Deletes user accounts of terminated employees.
   •   Disables, deletes, or provides a waiver for the user account with a password status of
       “Not Required”.
   •   Periodically reviews user access control lists to determine if accounts are still needed.

USB Port Control Access (Risk: High)
To address the USB Port Control Access issues identified in this report, we recommend that
SAMHSA ensures ITIO:
   •   Restricts personnel from connecting unauthorized USB devices to computers.
   •   Prevents sensitive data from being written to unauthorized/unencrypted USB devices.
   •   Enforces the Department information security policy that restricts the connection of
       personally owned equipment to Department systems or networks.


                  APPENDIX B: AUDIT SCOPE AND METHODOLOGY

SCOPE

We reviewed selected IT security controls in effect as of June 2012. These controls were
inventory management, patch management, antivirus, event management, logical access,
encryption, web vulnerability assessment and Universal Serial Bus (USB) port control
management. Network management refers to the activities that pertain to the operations,
administration, maintenance, and configuration of networked systems. Areas of network
management included in this audit were limited to patch management, antivirus management and
event management. We did not review the overall internal control structure of SAMHSA. We
performed our fieldwork at SAMHSA’s offices in Rockville, Maryland.

METHODOLOGY

We audited SAMHSA’s information security controls by reviewing policies and procedures,
interviewing employees, reviewing and analyzing records and reviewing documentation.
We reviewed:
   •   Inventory management process for IT assets to ensure that management monitors and
       protects property and other assets against waste, loss, unauthorized use, or
       misappropriation
   •   Patch management procedures for patch installations and monitoring
   •   Antivirus versions, scan engines and signature timestamps
   •   Logical access process, including an analysis of the ITIO-managed Active
       Directory (AD) and remote user Virtual Private Network (VPN) accounts, and
   •   Port control access that prevents unauthorized access to information, particularly to
       personally identifiable information (PII) and other sensitive data

For the principal criteria used for this review, see Appendix C.


             APPENDIX C: CRITERIA AND FEDERAL REQUIREMENTS

Inventory Management

NIST SP 800-53, Page F-44, Revision 3, Information Security, dated August 2009, CM-8
Information System Component Inventory – The organization develops, documents, and
maintains an inventory of information system components that: Accurately reflects the current
information system; Is consistent with the authorization boundary of the information system; Is
at the level of granularity deemed necessary for tracking and reporting; and is available for
review and audit by designated organizational officials. This includes the following control
enhancements:
         1.      The organization updates the inventory of information system components as an
                 integral part of component installations, removals, and information system
                 updates.
         2.      The organization employs automated mechanisms to help maintain an up-to-date,
                 complete, accurate, and readily available inventory of information system
                 components.

NIST SP 800-53 Rev 3, section CM-8; page F-44 – Information System Component Inventory:

       “Supplemental Guidance: Information deemed to be necessary by the organization to
       achieve effective property accountability can include, for example, hardware inventory
       specifications (manufacturer, type, model, serial number, physical location), software
       license information, information system/component owner, and for a networked
       component/device, the machine name and network address.”

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, Section 1.8,
P-AM.2 and P-AM.3, page 11, states all assets shall be tracked in an asset inventory database
to include (at a minimum) name, location, asset identification (ID), owner, and description of
use. Section 1.8 further states that OPDIVs: Develop and conduct procedures for verifying
accuracy for OPDIV or STAFFDIV IT asset inventories. Collaborate with Designated
Approving Authorities (DAAs)/Authorizing Officials (AOs), Information System Security
Officers (ISSOs), field technicians, and others as necessary to conduct verification procedures.
Engage/use the HHS Property Management Information System, as appropriate.

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, Section 2.8,
Remote Access S-RMT.1, page 42, states – All computers and devices, whether government-
furnished equipment (GFE) or contractor-furnished equipment (CFE), that require any network
access to a Department or OPDIV network or system shall be securely configured and meet at
least the following security requirements: (i) up-to-date system patches, (ii) current anti-virus
software; and (iii) functionality that provides the capability for automatic execution of code
disabled.

HHS Logistics Management Manual (LMM) Policy and Procedures, Executive Summary
section page iii and page 3, states that the "management of property and other programs and
activities" includes ordering, receiving, storing, distributing, accounting for, maintaining, and
disposing of supplies and equipment. This includes the Departmental Property Management
Information System (PMIS), which is used to track Property Plant and Equipment (PP&E)
records. PMIS provides reasonable assurances that funds, property, and other assets are
protected against waste, loss, unauthorized use, or misappropriation. The PMIS is the
enterprise-wide PP&E management system as mandated by ASAM on June 24, 2004.
Furthermore, section 1.1.8 of the manual also states that HHS logistics OPDIVs and
STAFFDIVs shall use the Department’s PMIS as the PP&E System of Record. All other legacy
systems are not the System of Record, and shall be decommissioned.

Patch Management

NIST SP 800-40, Version 2, Creating a Patch and Vulnerability Management Program, page
ES-1 and page 2-2, par 8, executive summary states that timely patching is critical to maintain
the operational availability, confidentiality, and integrity of IT systems. It also states that a
central patch and vulnerability group (PVG) should deploy patches automatically to IT devices
using enterprise patch management tools. Automated patching tools allow an administrator to
update hundreds or even thousands of systems from a single console.

NIST SP 800-53, Page F-44, Revision 3, Information Security, dated August 2009, CM-8
Information System Component Inventory – The organization develops, documents, and
maintains an inventory of information system components that: Accurately reflects the current
information system; Is consistent with the authorization boundary of the information system; Is
at the level of granularity deemed necessary for tracking and reporting; and is available for
review and audit by designated organizational officials. This includes the following control
enhancements:

      1.      The organization updates the inventory of information system components as an
              integral part of component installations, removals, and information system updates.
      2.      The organization employs automated mechanisms to help maintain an up-to-date,
              complete, accurate, and readily available inventory of information system components.

NIST SP 800-53 Rev 3, section CM-8; page F-44 – Information System Component
Inventory:

      “Supplemental Guidance: Information deemed to be necessary by the organization to
      achieve effective property accountability can include, for example, hardware inventory
      specifications (manufacturer, type, model, serial number, physical location), software
      license information, information system/component owner, and for a networked
      component/device, the machine name and network address.”

NIST SP 800-137, section 3.4.2, page 32, states “Organizations define security status reporting
requirements in the ISCM strategy. This includes the specific staff/roles to receive ISCM
reports, the content and format of the reports, the frequency of reports, and any tools to be
used.” It continues: “Organizations may consider more frequent reports for specific controls
with more volatility or on controls for which there have been weaknesses or lack of
compliance.”

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, Section 2.10
Personally-Owned Equipment and Software (POES) states:
S-POES.1, page 44 – Prohibit connection of personally-owned equipment to Department
systems or networks without written authorization from the appropriate OPDIV CIO or his/her
designated representative.
S-POES.1.1, page 44 – Scan personally-owned equipment that has received the proper written
authorization to ensure it complies with OPDIV/STAFFDIV system requirements (e.g., updated
patches) before connecting it to Department systems or networks. Note: Use of personally-
owned equipment or CFE on government networks is recognized as potentially introducing a
high level of risk to the government computing infrastructure. These connections shall only be
permitted as a risk-based decision made by the OPDIV CIO or his/her designated
representative.
S-POES.4, page 44 – Prohibit personally-owned or non-Department equipment from
processing, accessing, or storing PII unless approved in writing by the OPDIV SOP.

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, Section 2.8,
Remote Access S-RMT.1, page 42, states – All computers and devices, whether government-
furnished equipment (GFE) or contractor-furnished equipment (CFE), that require any network
access to a Department or OPDIV network or system shall be securely configured and meet at
least the following security requirements: (i) up-to-date system patches, (ii) current anti-virus
software; and (iii) functionality that provides the capability for automatic execution of code
disabled.

Antivirus Management

NIST SP 800-42, page 3-9, section 3.7, Virus Detectors, paragraph 6, states that the most
important aspect of virus detection software is frequent, regular updates of virus definition files
and on-demand updates when a major virus is known to be spreading throughout the Internet.
When the database is updated frequently, the anti-virus software will detect more viruses. If
these preliminary steps are taken, the chances of a major virus infection are minimized.

HHS OCIO Handbook, Section 1.6 P-CM.14, page 9 – Ensure current anti-virus software is
included, as appropriate, on systems connected to the HHS network, and that the software is
configured to automatically perform periodic virus scanning.

HHS-ITIO Standard Operating Procedures for Anti-Virus Management, page 4 – provides
the process to be followed for performing daily antivirus management for all users with access
to the Check Point Endpoint Security console.

HHS-PSC-ITIO Foreign Hardware Scanning Guide, page 3 “Executive Summary”, states –
“HHS/ITSC Program Security Guide requires that foreign hardware, whether laptops or
desktops, be configured with a minimum baseline security posture to include:

1.    “Employ industry recognized antivirus software with current signature files”

Logical Access

NIST SP 800-12, section 10.2, page 112, states that effective administration of users’ computer
access is essential to maintaining system security.

NIST SP 800-14, section 3.5.2, page 28, generally states that organizations should have a
process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users
and their respective access authorizations; and (3) managing these functions.

NIST SP 800-53 Rev 3, section AC-2; page F-4 – Account Management:

      “Supplemental Guidance: The identification of authorized users of the information
      system and the specification of access privileges is consistent with the requirements in
      other security controls in the security plan. Users requiring administrative privileges on
      information system accounts receive additional scrutiny by organizational officials
      responsible for approving such accounts and privileged access.”

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, Section 2.8,
Remote Access S-RMT.1, page 42, states – All computers and devices, whether government-
furnished equipment (GFE) or contractor-furnished equipment (CFE), that require any network
access to a Department or OPDIV network or system shall be securely configured and meet at
least the following security requirements: (i) up-to-date system patches, (ii) current anti-virus
software; and (iii) functionality that provides the capability for automatic execution of code
disabled.

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, page 49
Section 2: HHS Assignments and Selections in accordance with NIST SP 800-53 Rev. 3 states:

      “The information system automatically disables inactive accounts after…60 days or
      less.”

HHS-OCIO Policy for Information Systems Security and Privacy Handbook, page 40
Section 1: Department-wide Program-level and System-level Controls; subsection 2.5
Passwords; paragraph states:

      “S-PSWD.3 – Ensure passwords are changed at least every 60 days, immediately in the
      event of known or suspected compromise, and immediately upon system installation
      (e.g., default or vendor-supplied passwords).”

ITIO SOP – User Account Creation/Removal/Permission Procedures version 2.4, page 2,
generally states ITIO’s procedures for New Employee Account Creation, Current Employee
Account Transfer, Departing Employees, Permissions Requests and Monthly Disable/Delete
Process.

USB Port Control Access

NIST SP 800-53 Revision 3, section SI-3, page F-125, Recommended Security Controls for
Federal Information Systems and Organizations, states that the organization “Employs malicious
code protection mechanisms at information system entry and exit points and at workstations,
servers, or mobile computing devices on the network to detect and eradicate malicious code:
    • Transported by electronic mail, electronic mail attachments, web accesses, [USB
        devices], or other common means; or
    • Inserted through the exploitation of information system vulnerabilities ….”

SAMHSA’s Information Technology Security Program Policy states that “SAMHSA shall
ensure appropriate physical security controls are in place to protect all Agency electronic media
from unauthorized
access. Electronic media may include disk drives, diskettes, internal and
external hard drives, portable devices, backup media, removable media, and media containing
sensitive information. Electronic media containing sensitive and privacy data shall be
encrypted.”

“All SAMHSA laptop computers shall be secured using a FIPS 140-2 compliant whole-disk
encryption solution.”


                        APPENDIX D: SAMHSA’S COMMENTS

Substance Abuse and Mental Health Services Administration
www.samhsa.gov • 1-877-SAMHSA-7 (1-877-726-4727)

                                                                    JUN 2 8 2013

TO:          Director of Information System Auditor

FROM:        Deputy Administrator for Operations

SUBJECT:     2013 Substance Abuse and Mental Health Services Administration’s
             (SAMHSA) FISMA Audit Response

In response to the 2013 OIG FISMA Audit, attached is […] draft
OIG FISMA Audit findings.

Attachment

Behavioral Health is Essential To Health • Prevention Works • Treatment is Effective • People Recover


                                            SAMHSA

                                     SAMHSA OIG AUDIT
                                         RESPONSE

                                      Final Response
                                      DTM IT Security
                                         6/26/2013

This SAMHSA OIG Audit Response document identifies vulnerabilities discovered during the OIG Audit.
This document highlights the detailed findings, OIG recommendations, and SAMHSA’s detailed Plan of
Action to remediate these items and improve overall security at SAMHSA and HHS.


Introduction
On May 31, 2013, the Division of Technology and Management (DTM) was provided with a
draft copy of the Department of Health and Human Services’ (HHS) Office of the Inspector
General (OIG), Audit A-18-12-30420 report titled, Information Security Weaknesses Poses Risk
to Operations and Mission of SAMHSA.

The report identifies five categories of vulnerabilities and makes 17 recommendations to
improve security at HHS. SAMHSA concurs with the noted findings and has planned multiple
activities to improve and/or remediate most of the items. Most of the suggested
recommendations encourage SAMHSA to have more oversight and control on the outsourced
network infrastructure and IT asset services managed by the Information Technology
Infrastructure and Operations (ITIO).

The overall process of SAMHSA will be to work in collaboration with the ITIO to track progress
against the plans that are in place to address the OIG recommendations, coordinate remediation
efforts, and ensure appropriate tracking of outstanding items in their respective plans of action
and milestones (POA&M). SAMHSA expects ITIO to be responsible for assessing their own
risks with regards to each OIG finding and recommendation and to develop POA&Ms to
properly address the recommendations. SAMHSA’s POA&M will include items managed by
the ITIO to ensure remediation efforts are uniformly tracked and properly mitigated.
Additionally, SAMHSA will develop an internal audit review process by which to monitor and
grade ITIO’s performance.


OIG Findings and SAMHSA Status
This section contains a complete list of the recommended actions broken down by description, owner,
concurrence and status. Status is further broken down into:

      •   Open: This task is still in the initial planning stages.

      •   In Progress: Plans for this task have begun to be implemented and are in development towards
          full mitigation or remediation.

      •   Complete: This task is complete.

SAMHSA will be sure to keep this Summary of findings current with the latest status for remediating the
listed recommendations.

Table 2. HHS OIG MJR Response Summary

R1   Implements the Departmental Property Management Information System (PMIS) in order to
     provide a continuous monitoring program to SAMHSA that will accurately account for all IT
     assets, and provide comprehensive reporting to the SAMHSA Chief Information Officer
     Owner: SAMHSA CISO     Concurrence: Yes     Status: Open

R2   Updates inventory to include all computers and servers connecting to the SAMHSA network that
     are managed by ITIO.
     Owner: SAMHSA CISO     Concurrence: Yes     Status: In Progress
Employ\n             controls that ensure an effective\n             method for tracking computer\n\n             Upgrades or replace all servers              SAMHSACISO         Yes                  In\n R3          with End-of-Life (EOL) operating                                                     Progress\n             systems to operating systems\n                           the vendor.\n             Security team ensures that patch             SAMHSACISO         Yes                  Open\n R4          repotts are accessible to\n             SAMHSA\'s Chieflnfonnation\n                      Officer.\n\n\n\n\n                                                         2\n\n\x0c                                     SAMHSA\'S COMMEN TS                         APPENDI XD \n\n\n\n\n                                                                      Agree with\nFindiug   Dcsuiption                               Owner \t            Htco mmcnd atio n   Status\n                                                                      (Yes/No)\n\n          Should reconcile SAMHSA\'s                   SAMHSACIS O     Yes                 Open\n          inventory and patch report data, at\nRS\n          least monthly, to determine\n          whether all assets are appropriately\n          patched.\n          Update all computers and servers            SAMHSACIS O     Yes                 Open\nR6        running out of date antivirus\n          timestamp signatures.\n          Establish effective procedures to           SAMHSACIS O     .Yes                Open\nR7 \t      monitor and remediate computers\n          with out-of-date timestamp\n          sigt!_atures.\nR8        Document logging alerts that have           SAMHSACIS O \t   Yes                 Open\n          been remediated.\n          Add the following processes to              SAMHSACIS O     Yes                 Open\n           ITIO\'s Infrastmcture Operations\n           Standard Operating Procedure \n\n           
(SOP): \n\nR9 \t       - Follow-Up process for\n           computers not in compliance with\n           latest antivirus time stamps within\n           SOP.\n           - Process for server antivirus\n           management.\n           Create naming conventions that              SAMHSACIS O    Yes                 Open\nRIO \t      include computer names that will\n           defme which organization it has\n           been assigned to.\n           Disable accounts inactive greater           SAMHSACIS O    Yes                 In\n           than 60 days and subsequently                                                  Progress\nRll\n           delete accounts determined to be \n\n           no longer needed \xc2\xb7greater than 90 \n\n            days. \n\nR12 \t      Delete user accounts oftetminated           SAMHSACIS O     Yes                 Open \n\n            em"Qloyees. \n\n            Should disable, delete, or provide a       SAMHSACIS O     Yes                 Open \n\nRI3\n            waiver for the user account with a\n            password status of"Not Required,\n            Periodically review access user            SAMHSACIS O     Yes                 Open\nR14\n            control lists to determine if\n            accounts are still needed.\n            Restrict personnel from connecting         SAMHSACIS O     Yes                 Open\nRl5\n            unauthorized USB devices to \n\n            computers. 
\n\n\n\n\n\n                                                       3\n\n\x0c                                   SAMHSA\'S COMMENTS                    APPENDIXD \n\n\n\n\n                                                              Agn\xc2\xb7t\xc2\xb7 with\nFinding   Description                         OwnlT           Rccom mend a tion   Status\n                                                              (Yes/No)\n\n          Prevent sensitive data from being     SAMHSACISO    Yes                 Open\nR16       written to\n          unauthorized/unenc1ypted USB\n          devices.\n          Enforce the Department                 SAMHSACISO   Yes                 Open\n          information security policy that\nRl7       restricts the connection of\n          personally owned equipment to\n          Depm1ment systems or networks.\n\n\n\n\n                                                4\n\n\x0c                                 SAMHSA\'S COMMENTS                              APPENDIXD\n\n\n\n\nSAMHSA Detailed Plan of Action\nSAMHSA acknowledges the importance of identifying potential security threats and will address\nall relevant identified weaknesses in a timely manner. Related to the Inspector General (IG) five\ncategories ofvulnerabilities SAMHSA plans to take the following steps ofremediation:\n\n\n\nFinding #1: Inventory Management- The records given to us by ITIO had different totals of\ncomputers it managedfor SAMHSA. 
Inventory was not tracked and managed effectively and\ntherefore neither ITIO nor SAM!fSA was able to accountfor all SAMHSA IT assets and ensure\ntheir security compliance\n\nSuggested Remediation Actions:\n\n    \xe2\x80\xa2 \t Implement the Departmental Property Management Information System (PMIS) in order\n        to provide a continuous monitoryprogram to SAMSHA that will accurately accountfor\n        all IT assets, andprovide comprehensive reporting to the SAMHSA ChiefInformation\n        Officer (CIO.)\n    \xe2\x80\xa2 \t Updates inventory to include all computers and servers connecting to the SAMHSA\n        network that are managed by ITIO.\n    \xe2\x80\xa2 \t Upgrades or replaces all servers with End-of-Life (EOL) operating systems to operating\n        systems supported by the vendor.\n\n\n\nSAMHSA Response:\n\nSAMHSA concurs with Finding #1 and the OIG suggested remediation actions and plans to take\nthe following steps of remediation:\n\n    1. \t SAMHSA team will meet with ITIO on bi-weekly basis to get status updates on the\n         Implementation of Depattmental Propetty Management Information System (PMIS) and\n         provide assistance necessary to complete this task.\n    2. \t SAMHSA team will coordinate with ITIO to resolve IT assets inventory discrepancies.\n         SAMHSA team will also work with ITIO on selecting one inventory management tool\n         used by both teams to account for and report all IT assets.\n    3. \t SAMHSA team will ensure that the inventory management tool selected will provide\n         operating system software infonnation which will allow SAMHSA and ITIO to identify\n         systems that are running operating systems that are no longer supported by the vendor\n         and create a plan for updating these systems.\n\n\n\nFinding #2: Patch Management- SAMHSA did not ensure that JTIO had effectively \n\nimplemented its patch managementprogram for those devices managed by ITIO. 
We identified \n\n\n\n                                                 5\n\n\x0c                                SAMHSA\'S COMMENTS                              APPENDIXD \n\n\n\n\nvulnerabilities within the SAMHSA network that if exploited could have led to unauthorized\ndisclosure, modification, or non-availability ofcritical data.\n\nSuggested Remediation Actions:\n\n   \xe2\x80\xa2 \t Security team ensures thatpatch reports are accessible to SAMHSA ChiefInformation\n       Security officer.\n   \xe2\x80\xa2 \t Should reconcile SAMHSA \'s inventory and patch report data, at least monthly, to \n\n       determine whether all assets are appropriately patched \n\n\nSAMHSA Response:\n\nSAMHSA concurs with Finding #2 and the OIG suggested remediation actions and plans to take\nthe following steps of remediation:\n\n    1. \t SAMHSA team will request on a bi-weekly basis a patch implementation report from\n         ITIO and will provide these reports to SAMHSA\'s Chieflnformation Security Officer\n         (CISO) on a schedule that the CISO selects.\n    2. 
\t SAMHSA team will meet with ITIO on a bi-weekly/monthly basis to reconcile inventory,\n         patching or antivirus compliance reports.\n\n\n\nFinding #3: Antivirus Management -ITIO and SAMHSA did not ensure that all ofthe\nSAMHSA computers and servers managed by ITIO had updated antivirus signatures.\n\nSuggested Remediation Actions:\n\n    \xe2\x80\xa2 \t Update all computers and servers running out ofdate antivirus timestamp signatures.\n    \xe2\x80\xa2 \t Establish effective procedures to monitor and remediate computers with out-of-date\n        timestamp signatures.\n    \xe2\x80\xa2 \t Document logging alerts that have been remediated\n    \xe2\x80\xa2 \t Add the following processes to ITIO \'s Infrastructure Operations Standard Operating\n        Procedure (SOP):\n\n        -Follow-up proce~s for computers not in compliance with the latest antivirus time stamps\n        within SOP.\n\n        -Processfor server antivirus management.\n\n    \xe2\x80\xa2 \t Create naming conventions that include computer names that will define which \n\n        organization it has been assigned to. \n\n\n\n\n\n                                                6\n\n\x0c                                SAMHSA\'S COMMENTS                              APPENDIXD\n\n\n\n.SAMHSA Response:\n\nSAMHSA concurs with Finding #3 and the OIG suggested remediation actions and plans to take\nthe following steps of remediation:\n\n   l. \t SAMHSA team will request ITIO to provide reports on bi-weekly basis that details\n        antivirus engine and signature timestamps for all ITIO owned and managed computers\n        and servers used for SAMHSA\' s operations.\n   2. \t SAMHSA team will request ITIO create a plan of action for monitoring and\xc2\xb7remediating\n        computers with out-of~date timestamp signatures.\n   3. 
\t SAMHSA team will request on a bi~weekly basis a report from ITIO detailing applicable\n        security patch application on all ITIO owned and managed computers and servers used\n        for SAMHSA\'s operations.\n   4. \t SAMHSA team will verify that ITIO\'s Infrastructure Operations Standard is updated\n        with the following: Follow-up process for computers not in compliance with latest\n        antivirus time stamps, Process for server antivirus management.\n   5. \t SAMHSAteam will work with ITIO in creating naming conventions within Active\n        Directory for all ITIO owned and managed computers and servers used for SAMHSA\'s\n        operations.\n\n\n\nFinding #4: Logical Access -ITIO and SAMHSA did not implement an effective logical access\ncontrolprocess for its user accounts and did not conduct sufficient reviews to ensure that only\nvalid users had access to their information system.\n\nSuggested Remediation Actions:\n\n    \xe2\x80\xa2 \t Disable accounts inactive greater than 60 days and subsequently delete accounts \n\n        determined to be no longer needed greater than 90 days. \n\n    \xe2\x80\xa2 \t Delete user accounts ofterminated employees.\n    \xe2\x80\xa2 \t Should disable, delete, or provide a waiver for the user account with a password status of\n         f(Not Required "\n    \xe2\x80\xa2 \t Periodically review access user control lists to determine if accounts are still needed.\n\n\n\nSAMHSA Response:\n\nSAMHSA concurs with Finding #4 and the OIG suggested remediation actions and plans to take\nthe following steps of remediation:\n\n        1. 
SAMHSA team will coordinate a meeting with ITIO to ensure technical controls are\n           implemented to disable accounts inactive gt\xc2\xb7eater than 60 days and subsequently\n           delete accounts determined to be no longer needed greater than 90 days for all ITIO\n           owned and managed computers and servers used for SAMHSA\'s operations.\n\n\n\n                                                7\n\n\x0c                               SAMHSA\'S COMMENTS                              APPENDIXD \n\n\n\n\n      2. \t SAMHSA team will coordinate a meeting with ITIO to review the process of deleting\n           user accounts of terminated employees and ensure technical controls are implemented\n           to enforce this process.\n      3. \t SAMHSA team will coordinate a meeting with ITIO to verify that all accounts with\n           password status of\'\'Not Required" are disabled, deleted, or a waiver has been\n           provided for the user account and ensure technical controls are implemented to\n           enforce this.\n      4. \t SAMHSA team will coordinate a meeting with ITIO to verify access user control list\n           review is documented and performed periodically.\n\n\n\nFinding #5: USB Port Control Access- ITIO and SAMHSA did not have any technical\ncontrols to prevent unauthorized and unencrypted USB devices from connecting to SAMHSA\ncomputer.\n\nSuggested Remediation Actions:\n\n   \xe2\x80\xa2 \t Restrict personnelfrom connecting unauthorized USB devices to computer.\n   \xe2\x80\xa2 \t Prevent sensitive data from being written to unauthorized /unencrypted USB devices. .\n   \xe2\x80\xa2 \t Enforce the Department information security policy that restricts the connection of\n       personally owned equipment to Department systems or networks.\n\n\n\nSAMHSA Response:\n\nSAMHSA concurs with Finding #5 and the OIG suggested remediation actions and plans to take\nthe following steps of remediation:\n\n       1. 
\t SAMHSA team will coordinate a meeting with ITIO to ensure technical controls are\n            implemented to restrict personnel from connecting unauthorized USB devices to ITIO\n            owned and managed computers and servers used for SAMHSA\'s operations.\n       2. \t SAMHSA team will coordinate a meeting with ITIO to ensure technical controls are\n            implemented to prevent sensitive data from being written to\n            unauthorized/unencrypted USB devices on ITIO owned and managed computers and\n            servers used for SAMHSA\'s operations.\n       3. \t SAMHSA team will coordinate a meeting withiTIO to ensure technical controls are\n            implemented to enforce HHS information security policy that restricts the connection\n            of personally owned equipment to SAMHSA systems or networks.\n\n\n\n\n                                               8\n\n\x0c                                 SAMHSA\'S COMMENTS                              APPENDIXD\n\n\n\nSummary of SAMHSA Response:\n\nIn conclusion SAMHSA acknowledges it needs to strengthen its communication and\ncollaboration with the ITIO. Most, ifnot all, ofthe suggested OIG recommendations require\nSAMHSA to communicate and have more visibility of the outsourced network services managed\nby the ITIO. SAMHSA appreciates the OIG review and will utilize the recommendations to\nensure the continued confidentiality, integrity and availability of SAMHSA infmmation and\ninformation assets~\n\nIn SAMHSA response to the OIG recommendations the common dynamic is the engagement in\nmore recurring meetings. These meetings will be structured to repeat the same processes the\nOIG exercised that revealed the security fmdings. SAMHSA is confident that its planned\nresponses will result in a more strengthened security program that is more vigilant and aware of\nthe success ofthe network services provided. 
SAMHSA expects full cooperation and timely\nparticipation from the ITIO to remediate the suggested recommendations in a timely manner.\n\n\n\n\n                                                9\n\n\x0c'
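The reconciliation SAMHSA commits to above (R5 inventory versus patch report, R6/R7 antivirus signature age, and the R11/R12/R13 account rules), as an added example that is not part of SAMHSA's response or the OIG report. Hostnames, user names, dates and the 7-day antivirus signature-age threshold are constructed assumptions; the 60-day disable and 90-day delete thresholds are the ones stated in R11.

```python
"""Reconcile ITIO-supplied reports against SAMHSA's inventory (added example)."""
from datetime import date

# Constructed sample inputs standing in for the reports SAMHSA says it will
# request from ITIO: asset inventory, patch report, antivirus signature
# report and the Active Directory account listing. All names are fictional.
INVENTORY = {"SAMHSA-WS-001", "SAMHSA-WS-002", "SAMHSA-SRV-01", "SAMHSA-SRV-02"}
PATCH_REPORT = {  # hostname -> fully patched?
    "SAMHSA-WS-001": True, "SAMHSA-WS-002": False,
    "SAMHSA-SRV-01": True, "SAMHSA-WS-009": True,  # WS-009: not in inventory
}
AV_REPORT = {  # hostname -> antivirus signature timestamp
    "SAMHSA-WS-001": date(2013, 6, 25), "SAMHSA-WS-002": date(2013, 4, 2),
    "SAMHSA-SRV-01": date(2013, 6, 24),
}
ACCOUNTS = [  # (user, last logon, password required?, terminated?)
    ("jdoe", date(2013, 6, 20), True, False),
    ("cwong", date(2013, 4, 20), True, False),       # inactive 67 days
    ("asmith", date(2013, 3, 1), True, False),       # inactive 117 days
    ("svc_legacy", date(2013, 6, 1), False, False),  # password "Not Required"
    ("bjones", date(2013, 4, 10), True, True),       # terminated employee
]
AS_OF = date(2013, 6, 26)  # date of SAMHSA's final response


def reconcile_assets(inventory, patch_report, av_report, as_of, max_sig_age_days=7):
    """Cross-check the asset reports (R2, R5, R6, R7) and return sorted
    hostname lists ready for the POA&M: hosts the reports disagree on
    (the 'different totals' of Finding #1), unpatched hosts, and hosts whose
    antivirus signatures are older than max_sig_age_days (an assumed value)
    or were never reported at all."""
    return {
        "not_in_patch_report": sorted(inventory - set(patch_report)),
        "not_in_inventory": sorted(set(patch_report) - inventory),
        "unpatched": sorted(h for h in inventory if patch_report.get(h) is False),
        "stale_av": sorted(h for h in inventory if h in av_report
                           and (as_of - av_report[h]).days > max_sig_age_days),
        "missing_av": sorted(inventory - set(av_report)),
    }


def review_accounts(accounts, as_of, disable_after=60, delete_after=90):
    """Apply the R11, R12 and R13 account rules and bucket each account.
    Deletion is only a candidate list: R11 requires a determination that the
    account is no longer needed before it is removed."""
    result = {"disable": [], "delete_candidate": [], "password_not_required": []}
    for user, last_logon, password_required, terminated in accounts:
        inactive_days = (as_of - last_logon).days
        if terminated or inactive_days > delete_after:
            result["delete_candidate"].append(user)   # R12, or R11 > 90 days
        elif inactive_days > disable_after:
            result["disable"].append(user)            # R11 > 60 days
        if not password_required:
            result["password_not_required"].append(user)  # R13: disable/delete/waiver
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    findings = reconcile_assets(INVENTORY, PATCH_REPORT, AV_REPORT, AS_OF)
    findings.update(review_accounts(ACCOUNTS, AS_OF))
    for section, rows in findings.items():
        print(f"{section}: {', '.join(rows) or 'none'}")
```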